  • 追码CM破解笔记

    原帖地址:http://www.xuepojie.com/thread-25295-1-1.html

    CM下载:http://www.vdisk.cn/down/index/19539563

    因为最近在研究算法,所以玩了一下群里朋友发的一个追码CM。其实这个也不算追码,更像是追出一个固定的密码:严格来说,每台电脑的注册码都不一样的才叫追码。不过不管它算不算追码,只要能破解出来就好了。

     

    这个CM输入错误时没有任何提示,所以不能下 MessageBox 断点。

    不过已知它是易语言写的,直接搜索二进制特征码 FF55FC5F5E(即 call dword ptr [ebp-4] / pop edi / pop esi,易语言按钮事件的常见入口特征)就能找到关键位置了。

    004010CB /. 55 push ebp

    004010CC |. 8BEC mov ebp,esp

    004010CE |. 81EC 14000000 sub esp,0x14

    004010D4 |. 68 00000000 push 0x0

    004010D9 |. BB B0164000 mov ebx,追码CM.004016B0

    004010DE |. E8 43040000 call 追码CM.00401526

    004010E3 |. 83C4 04 add esp,0x4

    004010E6 |. 8945 FC mov [local.1],eax

    004010E9 |. 68 00000000 push 0x0

    004010EE |. BB D0164000 mov ebx,追码CM.004016D0

    004010F3 |. E8 2E040000 call 追码CM.00401526

    004010F8 |. 83C4 04 add esp,0x4

    004010FB |. 8945 F8 mov [local.2],eax

    004010FE |. FF75 F8 push [local.2]

    00401101 |. 68 D0D54700 push 追码CM.0047D5D0

    00401106 |. FF75 FC push [local.1]

    00401109 |. B9 03000000 mov ecx,0x3

    0040110E |. E8 5CFFFFFF call 追码CM.0040106F

    00401113 |. 83C4 0C add esp,0xC

    00401116 |. 8945 F4 mov [local.3],eax

    00401119 |. 8B5D FC mov ebx,[local.1]

    0040111C |. 85DB test ebx,ebx

    0040111E |. 74 09 je short 追码CM.00401129

    00401120 |. 53 push ebx

    00401121 |. E8 FA030000 call 追码CM.00401520

    00401126 |. 83C4 04 add esp,0x4

    00401129 |> 8B5D F8 mov ebx,[local.2]

    0040112C |. 85DB test ebx,ebx

    0040112E |. 74 09 je short 追码CM.00401139

    00401130 |. 53 push ebx

    00401131 |. E8 EA030000 call 追码CM.00401520

    00401136 |. 83C4 04 add esp,0x4

    00401139 |> 8B45 F4 mov eax,[local.3]

    0040113C |. 50 push eax

    0040113D |. 8B1D 80D56C00 mov ebx,dword ptr ds:[0x6CD580]

    00401143 |. 85DB test ebx,ebx

    00401145 |. 74 09 je short 追码CM.00401150

    00401147 |. 53 push ebx

    00401148 |. E8 D3030000 call 追码CM.00401520

    0040114D |. 83C4 04 add esp,0x4

    00401150 |> 58 pop eax ; 追码CM.006D96B0

    00401151 |. A3 80D56C00 mov dword ptr ds:[0x6CD580],eax

    00401156 |. 68 010100A0 push 0xA0000101

    0040115B |. 6A 00 push 0x0

    0040115D |. 68 D2D54700 push 追码CM.0047D5D2

    00401162 |. 68 01000000 push 0x1

    00401167 |. BB B0174000 mov ebx,追码CM.004017B0

    0040116C |. E8 B5030000 call 追码CM.00401526

    00401171 |. 83C4 10 add esp,0x10

    00401174 |. 8945 FC mov [local.1],eax

    00401177 |. 68 010100A0 push 0xA0000101

    0040117C |. 6A 00 push 0x0

    0040117E |. 68 E4D54700 push 追码CM.0047D5E4

    00401183 |. 68 01000000 push 0x1

    00401188 |. BB B0174000 mov ebx,追码CM.004017B0

    0040118D |. E8 94030000 call 追码CM.00401526

    00401192 |. 83C4 10 add esp,0x10

    00401195 |. 8945 F8 mov [local.2],eax

    00401198 |. FF75 F8 push [local.2]

    0040119B |. FF75 FC push [local.1]

    0040119E |. B9 02000000 mov ecx,0x2

    004011A3 |. E8 C7FEFFFF call 追码CM.0040106F

    004011A8 |. 83C4 08 add esp,0x8

    004011AB |. 8945 F4 mov [local.3],eax

    004011AE |. 8B5D FC mov ebx,[local.1]

    004011B1 |. 85DB test ebx,ebx

    004011B3 |. 74 09 je short 追码CM.004011BE

    004011B5 |. 53 push ebx

    004011B6 |. E8 65030000 call 追码CM.00401520

    004011BB |. 83C4 04 add esp,0x4

    004011BE |> 8B5D F8 mov ebx,[local.2]

    004011C1 |. 85DB test ebx,ebx

    004011C3 |. 74 09 je short 追码CM.004011CE

    004011C5 |. 53 push ebx

    004011C6 |. E8 55030000 call 追码CM.00401520

    004011CB |. 83C4 04 add esp,0x4

    004011CE |> 68 04000080 push 0x80000004

    004011D3 |. 6A 00 push 0x0

    004011D5 |. 8B45 F4 mov eax,[local.3]

    004011D8 |. 85C0 test eax,eax

    004011DA |. 75 05 jnz short 追码CM.004011E1

    004011DC |. B8 F4D54700 mov eax,追码CM.0047D5F4

    004011E1 |> 50 push eax

    004011E2 |. 68 01000000 push 0x1

    004011E7 |. BB C0184000 mov ebx,追码CM.004018C0

    004011EC |. E8 35030000 call 追码CM.00401526

    004011F1 |. 83C4 10 add esp,0x10

    004011F4 |. 8945 F0 mov [local.4],eax

    004011F7 |. 8B5D F4 mov ebx,[local.3]

    004011FA |. 85DB test ebx,ebx

    004011FC |. 74 09 je short 追码CM.00401207

    004011FE |. 53 push ebx

    004011FF |. E8 1C030000 call 追码CM.00401520

    00401204 |. 83C4 04 add esp,0x4

    00401207 |> 837D F0 00 cmp [local.4],0x0

    0040120B |. 0F85 DA010000 jnz 追码CM.004013EB 这个大的跳转不用管它 我们也不需要知道这里判断了什么

    00401211 |. 68 010100A0 push 0xA0000101

    00401216 |. 6A 00 push 0x0

    00401218 |. 68 D2D54700 push 追码CM.0047D5D2

    0040121D |. 68 01000000 push 0x1

    00401222 |. BB B0174000 mov ebx,追码CM.004017B0

    00401227 |. E8 FA020000 call 追码CM.00401526

    0040122C |. 83C4 10 add esp,0x10

    004013EB |> 68 010100A0 push 0xA0000101

    004013F0 |. 6A 00 push 0x0

    004013F2 |. 68 D2D54700 push 追码CM.0047D5D2

    004013F7 |. 68 01000000 push 0x1

    004013FC |. BB B0174000 mov ebx,追码CM.004017B0

    00401401 |. E8 20010000 call 追码CM.00401526

    00401406 |. 83C4 10 add esp,0x10

    00401409 |. 8945 FC mov [local.1],eax

    0040140C |. 68 010100A0 push 0xA0000101

    00401411 |. 6A 00 push 0x0

    00401413 |. 68 E4D54700 push 追码CM.0047D5E4

    00401418 |. 68 01000000 push 0x1

    0040141D |. BB B0174000 mov ebx,追码CM.004017B0

    00401422 |. E8 FF000000 call 追码CM.00401526

    00401427 |. 83C4 10 add esp,0x10

    0040142A |. 8945 F8 mov [local.2],eax

    0040142D |. FF75 F8 push [local.2]

    00401430 |. FF75 FC push [local.1] ; 追码CM.004010CB

    00401433 |. B9 02000000 mov ecx,0x2

    00401438 |. E8 32FCFFFF call 追码CM.0040106F

    0040143D |. 83C4 08 add esp,0x8

    00401440 |. 8945 F4 mov [local.3],eax

    00401443 |. 8B5D FC mov ebx,[local.1] ; 追码CM.004010CB

    00401446 |. 85DB test ebx,ebx

    00401448 |. 74 09 je short 追码CM.00401453

    0040144A |. 53 push ebx

    0040144B |. E8 D0000000 call 追码CM.00401520

    00401450 |. 83C4 04 add esp,0x4

    00401453 |> 8B5D F8 mov ebx,[local.2]

    00401456 |. 85DB test ebx,ebx

    00401458 |. 74 09 je short 追码CM.00401463

    0040145A |. 53 push ebx

    0040145B |. E8 C0000000 call 追码CM.00401520

    00401460 |. 83C4 04 add esp,0x4

    00401463 |> 8965 F0 mov [local.4],esp

    00401466 |. FF75 F4 push [local.3]

    00401469 |. B8 00000000 mov eax,0x0

    0040146E |. E8 BF000000 call 追码CM.00401532 ; 调用了 LoadLibraryA

    00401473 |. 3965 F0 cmp [local.4],esp

    00401476 |. 74 0D je short 追码CM.00401485

    00401478 |. 68 06000000 push 0x6

    0040147D |. E8 AA000000 call 追码CM.0040152C

    00401482 |. 83C4 04 add esp,0x4

    00401485 |> 8B5D F4 mov ebx,[local.3]

    00401488 |. 85DB test ebx,ebx

    0040148A |. 74 09 je short 追码CM.00401495

    0040148C |. 53 push ebx

    0040148D |. E8 8E000000 call 追码CM.00401520

    00401492 |. 83C4 04 add esp,0x4

    00401495 |> 6A 00 push 0x0

    00401497 |. 6A 00 push 0x0

    00401499 |. 6A 00 push 0x0

    0040149B |. 68 01000100 push 0x10001

    004014A0 |. 68 00000106 push 0x6010000

    004014A5 |. 68 01000152 push 0x52010001

    004014AA |. 68 02000000 push 0x2

    004014AF |. BB E0194000 mov ebx,追码CM.004019E0

    004014B4 |. E8 6D000000 call 追码CM.00401526

    004014B9 |. 83C4 1C add esp,0x1C

    004014BC |> 8BE5 mov esp,ebp

    004014BE |. 5D pop ebp ; 追码CM.00416A70

    004014BF . C3 retn

    0012FCD8 00401473 /CALL LoadLibraryA 来自 追码CM.0040146E

    0012FCDC 001F7EA0 FileName = "C:\Windows\dcb.dll"

    0012FCE0 006D96B0 ASCII "j"

    我们可以看到程序通过 LoadLibraryA 加载了一个 dll,这就是破解的关键,因为验证算法都在里面。

     
     

    所以我们来到这个 dll 里,对易语言的按钮事件下断点;不这样做的话是断不下来的。

    输入图一的假码,然后开始跟踪分析。

    05D410F1 55 push ebp

    05D410F2 8BEC mov ebp,esp

    05D410F4 81EC 08000000 sub esp,0x8

    05D410FA E8 B4020000 call dcb.05D413B3

    05D410FF 68 010100A0 push 0xA0000101

    05D41104 6A 00 push 0x0

    05D41106 68 3439DC05 push dcb.05DC3934

    05D4110B 68 01000000 push 0x1

    05D41110 BB 1040D405 mov ebx,dcb.05D44010

    05D41115 E8 AC2B0000 call dcb.05D43CC6

    05D4111A 83C4 10 add esp,0x10

    05D4111D 8945 FC mov dword ptr ss:[ebp-0x4],eax

    05D41120 8B45 FC mov eax,dword ptr ss:[ebp-0x4]

    05D41123 50 push eax

    05D41124 8B1D C035F505 mov ebx,dword ptr ds:[0x5F535C0]

    05D4112A 85DB test ebx,ebx

    05D4112C 74 09 je short dcb.05D41137

    05D4112E 53 push ebx

    05D4112F E8 8C2B0000 call dcb.05D43CC0

    05D41134 83C4 04 add esp,0x4

    05D41137 58 pop eax

    05D41138 A3 C035F505 mov dword ptr ds:[0x5F535C0],eax

    05D4113D 68 010100A0 push 0xA0000101

    05D41142 6A 00 push 0x0

    05D41144 68 3439DC05 push dcb.05DC3934

    05D41149 68 01000000 push 0x1

    05D4114E BB 1040D405 mov ebx,dcb.05D44010

    05D41153 E8 6E2B0000 call dcb.05D43CC6

    05D41158 83C4 10 add esp,0x10

    05D4115B 8945 FC mov dword ptr ss:[ebp-0x4],eax

    05D4115E 8B45 FC mov eax,dword ptr ss:[ebp-0x4]

    05D41161 50 push eax

    05D41162 8B1D C035F505 mov ebx,dword ptr ds:[0x5F535C0]

    05D41168 85DB test ebx,ebx

    05D4116A 74 09 je short dcb.05D41175

    05D4116C 53 push ebx

    05D4116D E8 4E2B0000 call dcb.05D43CC0

    05D41172 83C4 04 add esp,0x4

    05D41175 58 pop eax

    05D41176 A3 C035F505 mov dword ptr ds:[0x5F535C0],eax

    05D4117B 68 010100A0 push 0xA0000101

    05D41180 6A 00 push 0x0

    05D41182 68 3439DC05 push dcb.05DC3934

    05D41187 68 01000000 push 0x1

    05D4118C BB 1040D405 mov ebx,dcb.05D44010

    05D41191 E8 302B0000 call dcb.05D43CC6

    05D41196 83C4 10 add esp,0x10

    05D41199 8945 FC mov dword ptr ss:[ebp-0x4],eax

    05D4119C 8B45 FC mov eax,dword ptr ss:[ebp-0x4]

    05D4119F 50 push eax

    05D411A0 8B1D C035F505 mov ebx,dword ptr ds:[0x5F535C0]

    05D411A6 85DB test ebx,ebx

    05D411A8 74 09 je short dcb.05D411B3

    05D411AA 53 push ebx

    05D411AB E8 102B0000 call dcb.05D43CC0

    05D411B0 83C4 04 add esp,0x4

    05D411B3 58 pop eax

    05D411B4 A3 C035F505 mov dword ptr ds:[0x5F535C0],eax

    05D411B9 68 01030080 push 0x80000301

    05D411BE 6A 00 push 0x0

    05D411C0 68 01000000 push 0x1

    05D411C5 68 01000000 push 0x1

    05D411CA BB 1040D405 mov ebx,dcb.05D44010

    05D411CF E8 F22A0000 call dcb.05D43CC6

    05D411D4 83C4 10 add esp,0x10

    05D411D7 8945 FC mov dword ptr ss:[ebp-0x4],eax

    05D411DA 8B45 FC mov eax,dword ptr ss:[ebp-0x4]

    05D411DD 50 push eax

    05D411DE FF35 C035F505 push dword ptr ds:[0x5F535C0]

    05D411E4 E8 6BFEFFFF call dcb.05D41054

    05D411E9 83C4 08 add esp,0x8

    05D411EC 83F8 00 cmp eax,0x0

    05D411EF B8 00000000 mov eax,0x0

    05D411F4 0f94c0 sete al

    05D411F7 8945 F8 mov dword ptr ss:[ebp-0x8],eax

    05D411FA 8B5D FC mov ebx,dword ptr ss:[ebp-0x4]

    05D411FD 85DB test ebx,ebx

    05D411FF 74 09 je short dcb.05D4120A

    05D41201 53 push ebx

    05D41202 E8 B92A0000 call dcb.05D43CC0

    05D41207 83C4 04 add esp,0x4

    05D4120A 837D F8 00 cmp dword ptr ss:[ebp-0x8],0x0

    05D4120E 0F84 00000000 je dcb.05D41214

    05D41214 E8 DD020000 call dcb.05D414F6 ; F7进入

    05D41219 68 010100A0 push 0xA0000101

    05D4121E 6A 00 push 0x0

    05D41220 68 3439DC05 push dcb.05DC3934

    05D41225 68 01000000 push 0x1

    05D4122A BB 1040D405 mov ebx,dcb.05D44010

    调试期间可以看到很多 123123123 之类的字符串,这些我们先不用管它。

    05C81649 83C4 04 add esp,0x4

    05C8164C 58 pop eax

    05C8164D A3 C035E905 mov dword ptr ds:[0x5E935C0],eax

    05C81652 6A FF push -0x1

    05C81654 6A 08 push 0x8

    05C81656 68 05000116 push 0x16010005

    05C8165B 68 04000152 push 0x52010004

    05C81660 E8 79260000 call dcb.05C83CDE

    05C81665 83C4 10 add esp,0x10 ; 假码

    05C81668 8945 FC mov dword ptr ss:[ebp-0x4],eax

    05C8166B 68 04000080 push 0x80000004

    05C81670 6A 00 push 0x0

    05C81672 8B45 FC mov eax,dword ptr ss:[ebp-0x4]

    05C81675 85C0 test eax,eax

    05C81677 75 05 jnz short dcb.05C8167E

    05C81679 B8 4539D005 mov eax,dcb.05D03945

    05C8167E 50 push eax

    05C8167F 68 01000000 push 0x1

    05C81684 BB B03DC805 mov ebx,dcb.05C83DB0

    05C81689 E8 38260000 call dcb.05C83CC6

    05C8168E 83C4 10 add esp,0x10 ; 获得假码长度

    05C81691 8945 F8 mov dword ptr ss:[ebp-0x8],eax

    05C81694 8B5D FC mov ebx,dword ptr ss:[ebp-0x4]

    05C81697 85DB test ebx,ebx ; dcb.05C83DB0

    05C81699 74 09 je short dcb.05C816A4

    05C8169B 53 push ebx ; dcb.05C83DB0

    05C8169C E8 1F260000 call dcb.05C83CC0

    05C816A1 83C4 04 add esp,0x4

    05C816A4 837D F8 12 cmp dword ptr ss:[ebp-0x8],0x12 ; 对比长度是否等于18

    05C816A8 0F84 0A000000 je dcb.05C816B8

    05C816AE /E9 5D010000 jmp dcb.05C81810

    05C816B3 |E9 05000000 jmp dcb.05C816BD

    05C816B8 |E8 57010000 call dcb.05C81814 F7进入这个call

    05C816BD |68 010100A0 push 0xA0000101

    05C816C2 |6A 00 push 0x0

    05C816C4 |68 3439D005 push dcb.05D03934

    05C816C9 |68 01000000 push 0x1

    05C816CE |BB 1040C805 mov ebx,dcb.05C84010

    05C816D3 |E8 EE250000 call dcb.05C83CC6

    长度这个不用多说了,假码肯定要有 18 位。

    05C818A2 83C4 04 add esp,0x4

    05C818A5 58 pop eax

    05C818A6 A3 C035E905 mov dword ptr ds:[0x5E935C0],eax

    05C818AB 68 010100A0 push 0xA0000101

    05C818B0 6A 00 push 0x0

    05C818B2 68 4639D005 push dcb.05D03946

    05C818B7 68 01000000 push 0x1

    05C818BC BB 1040C805 mov ebx,dcb.05C84010

    05C818C1 E8 00240000 call dcb.05C83CC6

    05C818C6 83C4 10 add esp,0x10 ; 521

    05C818C9 8945 FC mov dword ptr ss:[ebp-0x4],eax

    05C818CC 6A FF push -0x1

    05C818CE 6A 08 push 0x8

    05C818D0 68 05000116 push 0x16010005

    05C818D5 68 04000152 push 0x52010004

    05C818DA E8 FF230000 call dcb.05C83CDE

    05C818DF 83C4 10 add esp,0x10 ; 假码

    05C818E2 8945 F8 mov dword ptr ss:[ebp-0x8],eax

    05C818E5 68 02000080 push 0x80000002

    05C818EA 6A 00 push 0x0

    05C818EC 68 01000000 push 0x1

    05C818F1 68 01030080 push 0x80000301

    05C818F6 6A 00 push 0x0

    05C818F8 68 03000000 push 0x3

    05C818FD 68 04000080 push 0x80000004

    05C81902 6A 00 push 0x0

    05C81904 8B45 FC mov eax,dword ptr ss:[ebp-0x4]

    05C81907 85C0 test eax,eax

    05C81909 75 05 jnz short dcb.05C81910

    05C8190B B8 4539D005 mov eax,dcb.05D03945

    05C81910 50 push eax

    05C81911 68 04000080 push 0x80000004

    05C81916 6A 00 push 0x0

    05C81918 8B45 F8 mov eax,dword ptr ss:[ebp-0x8]

    05C8191B 85C0 test eax,eax

    05C8191D 75 05 jnz short dcb.05C81924

    05C8191F B8 4539D005 mov eax,dcb.05D03945

    05C81924 50 push eax

    05C81925 68 04000000 push 0x4

    05C8192A BB 303FC805 mov ebx,dcb.05C83F30

    05C8192F E8 92230000 call dcb.05C83CC6 ; 这个call是关键的对比函数 如果不相等的话会返回-1

    05C81934 83C4 34 add esp,0x34

    05C81937 8945 F4 mov dword ptr ss:[ebp-0xC],eax

    05C8193A 8B5D F8 mov ebx,dword ptr ss:[ebp-0x8]

    05C8193D 85DB test ebx,ebx ; dcb.05C83F30

    05C8193F 74 09 je short dcb.05C8194A

    05C81941 53 push ebx ; dcb.05C83F30

    05C81942 E8 79230000 call dcb.05C83CC0

    但是我们还不知道“521”是和假码的哪几位进行对比的。

    其实前面也出现过这个对比函数(就是前面那些 123123123 之类的对比),对比不正确时它会返回 -1;然而前面那些对比即使和程序要求的不一样也没有返回 -1,所以假码前几位肯定是可以随便输入的。

    其实大家可以测试一下:前面随便填几位,后面接上 521,看看填到哪个位置时这个 call 不再返回 -1,那就说明位置填对了。

    经过反复调试,假码前 8 位可以随便填,接着填上 521。这个 CM 是一步走对了才会进入下一步,哪一步错了就直接返回,没有任何提示。

    05C8192F E8 92230000 call dcb.05C83CC6 ; 这个call是关键的对比函数

    05C81934 83C4 34 add esp,0x34

    05C81937 8945 F4 mov dword ptr ss:[ebp-0xC],eax

    05C8193A 8B5D F8 mov ebx,dword ptr ss:[ebp-0x8]

    05C8193D 85DB test ebx,ebx

    05C8193F 74 09 je short dcb.05C8194A

    05C81941 53 push ebx

    05C81942 E8 79230000 call dcb.05C83CC0

    05C81947 83C4 04 add esp,0x4

    05C8194A 8B5D FC mov ebx,dword ptr ss:[ebp-0x4]

    05C8194D 85DB test ebx,ebx

    05C8194F 74 09 je short dcb.05C8195A

    05C81951 53 push ebx

    05C81952 E8 69230000 call dcb.05C83CC0

    05C81957 83C4 04 add esp,0x4

    05C8195A 8B45 F4 mov eax,dword ptr ss:[ebp-0xC]

    05C8195D A3 C435E905 mov dword ptr ds:[0x5E935C4],eax -1给了这个全局变量

    05C81962 68 010100A0 push 0xA0000101

    05C81967 6A 00 push 0x0

    05C81969 68 3439D005 push dcb.05D03934

    05C8196E 68 01000000 push 0x1

    05C81973 BB 1040C805 mov ebx,dcb.05C84010

    05C81978 E8 49230000 call dcb.05C83CC6

    05C819D5 83C4 04 add esp,0x4

    05C819D8 58 pop eax

    05C819D9 A3 C035E905 mov dword ptr ds:[0x5E935C0],eax

    05C819DE 833D C435E905 F>cmp dword ptr ds:[0x5E935C4],-0x1 和刚才得出的-1进行对比

    05C819E5 0F84 0A000000 je dcb.05C819F5 相等的话就跳过call

    05C819EB E8 71010000 call dcb.05C81B61 这个call是继续执行验证的下一步

    05C819F0 E9 05000000 jmp dcb.05C819FA

    05C819F5 E9 63010000 jmp dcb.05C81B5D

    05C819FA EB 0E jmp short dcb.05C81A0A

    05C819FC 56 push esi ; dcb.05E9F700

    05C819FD 4D dec ebp

    05C819FE 50 push eax

    所以 05C819E5 处的跳转是不能跳的,跳了就绕过了下一步验证的 call。

    其实分析到这里,后面基本不用再细看了,因为都是一样的流程。

    05C81BEF 83C4 04 add esp,0x4

    05C81BF2 58 pop eax ; dcb.05C9B721

    05C81BF3 A3 C035E905 mov dword ptr ds:[0x5E935C0],eax

    05C81BF8 68 010100A0 push 0xA0000101

    05C81BFD 6A 00 push 0x0

    05C81BFF 68 5139D005 push dcb.05D03951

    05C81C04 68 01000000 push 0x1

    05C81C09 BB 1040C805 mov ebx,dcb.05C84010

    05C81C0E E8 B3200000 call dcb.05C83CC6

    05C81C13 83C4 10 add esp,0x10 ; 4204

    05C81C16 8945 FC mov dword ptr ss:[ebp-0x4],eax

    05C81C19 6A FF push -0x1

    05C81C1B 6A 08 push 0x8

    05C81C1D 68 05000116 push 0x16010005

    05C81C22 68 04000152 push 0x52010004

    05C81C27 E8 B2200000 call dcb.05C83CDE

    05C81C2C 83C4 10 add esp,0x10 ; 假码

    05C81C2F 8945 F8 mov dword ptr ss:[ebp-0x8],eax

    05C81C32 68 02000080 push 0x80000002

    05C81C37 6A 00 push 0x0

    05C81C39 68 01000000 push 0x1

    05C81C3E 68 01030080 push 0x80000301

    05C81C43 6A 00 push 0x0

    05C81C45 68 06000000 push 0x6

    05C81C4A 68 04000080 push 0x80000004

    05C81C4F 6A 00 push 0x0

    05C81C51 8B45 FC mov eax,dword ptr ss:[ebp-0x4]

    05C81C54 85C0 test eax,eax

    05C81C56 75 05 jnz short dcb.05C81C5D

    05C81C58 B8 4539D005 mov eax,dcb.05D03945

    05C81C5D 50 push eax

    05C81C5E 68 04000080 push 0x80000004

    05C81C63 6A 00 push 0x0

    05C81C65 8B45 F8 mov eax,dword ptr ss:[ebp-0x8]

    05C81C68 85C0 test eax,eax

    05C81C6A 75 05 jnz short dcb.05C81C71

    05C81C6C B8 4539D005 mov eax,dcb.05D03945

    05C81C71 50 push eax

    05C81C72 68 04000000 push 0x4

    05C81C77 BB 303FC805 mov ebx,dcb.05C83F30

    05C81C7C E8 45200000 call dcb.05C83CC6 ; 对比函数

    05C81C81 83C4 34 add esp,0x34

    05C81C84 8945 F4 mov dword ptr ss:[ebp-0xC],eax

    05C81C87 8B5D F8 mov ebx,dword ptr ss:[ebp-0x8]

    05C81C8A 85DB test ebx,ebx ; dcb.05C83F30

    05C81C8C 74 09 je short dcb.05C81C97

    05C81C8E 53 push ebx ; dcb.05C83F30

    05C81C8F E8 2C200000 call dcb.05C83CC0

    05C81C94 83C4 04 add esp,0x4

    05C81C97 8B5D FC mov ebx,dword ptr ss:[ebp-0x4]

    05C81C9A 85DB test ebx,ebx ; dcb.05C83F30

    05C81C9C 74 09 je short dcb.05C81CA7

    05C81C9E 53 push ebx ; dcb.05C83F30

    05C81C9F E8 1C200000 call dcb.05C83CC0

    05C81CA4 83C4 04 add esp,0x4

    05C81CA7 8B45 F4 mov eax,dword ptr ss:[ebp-0xC]

    05C81CAA A3 C835E905 mov dword ptr ds:[0x5E935C8],eax

    05C81CAF 68 010100A0 push 0xA0000101

    05C81CB4 6A 00 push 0x0

    05C81CB6 68 3439D005 push dcb.05D03934

    05C81CBB 68 01000000 push 0x1

    05C81CC0 BB 1040C805 mov ebx,dcb.05C84010

    05C81CC5 E8 FC1F0000 call dcb.05C83CC6

    原帖中标红的行是关键(本页已丢失颜色,关键行即带“对比函数”注释的那个 call)。

     
     

    看到了吧,接下来和 4204 进行对比,正确就继续执行下一个对比,错误就直接结束。

    05C81D22 83C4 04 add esp,0x4

    05C81D25 58 pop eax ; dcb.05C9B721

    05C81D26 A3 C035E905 mov dword ptr ds:[0x5E935C0],eax

    05C81D2B 833D C835E905 F>cmp dword ptr ds:[0x5E935C8],-0x1

    05C81D32 0F84 0A000000 je dcb.05C81D42

    05C81D38 E8 71010000 call dcb.05C81EAE

    05C81D3D E9 05000000 jmp dcb.05C81D47

    05C81D42 E9 63010000 jmp dcb.05C81EAA

    05C81D47 68 010100A0 push 0xA0000101

    05C81D4C 6A 00 push 0x0

    05C81D4E 68 3439D005 push dcb.05D03934

    05C81D53 68 01000000 push 0x1

    05C81D58 BB 1040C805 mov ebx,dcb.05C84010

    继续下一个对比

    这次不会直接显示出和什么对比了,所以我们在数据窗口中跟随,可以看到是和“/”进行对比。后面的对比也是一样,所以我不再阐述了,看图吧。
     
     

    接着和 D 对比

     
     

    接着和 A 对比

    好了,这个 CM 的密码就出来了。

    总结:

    1.前面 8 位可以任意填写

    2.后面 10 位必须是 5214204/DA(总长度 18 位)

     
     
     
  • 原文地址:https://www.cnblogs.com/Sendige/p/9600875.html